While performing an Internet security scan (aka penetration test) for a UK corporate customer, I've discovered that version 5 of Borderware Firewall generates predictable initial TCP sequence numbers in response to incoming SYNs. The observed pattern is the familiar "64k increments" often seen on older Unix kernels. This allows TCP connections to be established with a spoofed source address.

I've only seen this behaviour on Borderware 5, but I suspect that this is a generic kernel issue that would affect previous versions as well. Would anyone with earlier versions care to check to see if they are vulnerable? (If you want a test program, drop me an email and I'll send you the C source of the tool I use.)

After being informed of this issue, Borderware Technologies, Inc. have reproduced the problem and plan to address it in the next release.

As long as Borderware doesn't use the source IP address for authentication, then this is probably not a serious issue. However, I guess that it would be possible to send "perfectly spoofed" email - complete with a fake connecting IP address - using a spoofed SMTP session...

It's surprising that such a well-known issue on a firewall with significant market share has not been discovered before. Does this mean that ICSA certification and field-testing failed to pick this up, or just failed to report it?

Roy Hills
NTA Monitor Ltd

--
Roy Hills                                 Tel:   01634 721855
NTA Monitor Ltd                           FAX:   01634 721844
6 Beaufort Court, Medway City Estate,     Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK               WWW:   http://www.nta-monitor.com/
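The "64k increments" pattern described in the post can be confirmed passively from a handful of SYN/ACK replies without any spoofing. The following is an added example, not the author's test tool, that classifies a list of observed ISNs (for instance, read off a packet capture of connections to the gateway under review); the `jitter` threshold for "near-fixed" is an assumed heuristic, and the sample ISN lists are constructed, not real captures.

```python
# Added example: classify observed TCP initial sequence numbers (ISNs) to
# detect the fixed-increment generator the post describes.  Not the author's
# tool; the sample data below is constructed.

MOD = 1 << 32  # ISNs are 32-bit counters and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32 so that a
    counter wrapping past 0xFFFFFFFF still yields its true step."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isns(isns, jitter=16):
    """Return (verdict, step).
    'constant'        - the ISN never changes
    'fixed-increment' - every delta is identical (the old BSD-style 64k step)
    'near-fixed'      - deltas differ by at most `jitter` (assumed heuristic:
                        still guessable with a few trial SYNs)
    'variable'        - no fixed structure in the deltas
    Needs at least three samples to give a verdict."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    lo, hi = min(deltas), max(deltas)
    if hi == 0:
        return "constant", 0
    if lo == hi:
        return "fixed-increment", lo
    if hi - lo <= jitter:
        return "near-fixed", (lo + hi) // 2
    return "variable", None


def is_predictable(isns):
    """True when the next ISN follows from earlier ones, i.e. the generator
    would let a spoofed-source TCP connection complete the handshake."""
    return classify_isns(isns)[0] != "variable"


# Constructed samples.  A 64000-per-SYN counter that wraps past 2^32 after
# the second reply, and a hand-picked set of values with no fixed step.
BORDERWARE_LIKE = [(0xFFFF0000 + i * 64000) % MOD for i in range(6)]
WELL_MIXED = [0x9A3F12C4, 0x0C71E8A9, 0xD4B02F1E, 0x5E8C9A73, 0x2F13D0B6]

if __name__ == "__main__":
    for name, sample in (("borderware-like", BORDERWARE_LIKE),
                         ("well-mixed", WELL_MIXED)):
        verdict, step = classify_isns(sample)
        print(f"{name}: {verdict}" + (f" (step {step})" if step is not None else ""))
```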
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:45 PDT